Bug 35468 - krb5-appl new security issue CVE-2026-32746
Summary: krb5-appl new security issue CVE-2026-32746
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-05-05 09:17 CEST by Nicolas Salguero
Modified: 2026-05-07 07:09 CEST

See Also:
Source RPM: krb5-appl-1.0.3-16.mga9.src.rpm
CVE: CVE-2026-32746
Status comment:
andrewsfarm: test_passed_mga9_64+



Nicolas Salguero 2026-05-05 09:18:38 CEST

Source RPM: (none) => krb5-appl-1.0.3-18.mga10.src.rpm, krb5-appl-1.0.3-16.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from openSUSE
Flags: (none) => affects_mga9+
CVE: (none) => CVE-2026-32746

Comment 1 Lewis Smith 2026-05-05 09:26:41 CEST
Nicolas has just applied the patch for Cauldron! Mageia 9 remains to be done.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2026-05-05 09:33:26 CEST
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix a security vulnerability:

telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full. (CVE-2026-32746)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/X5ABJVGBTZGH3FCDZEF3XQAMMJVC5AWA/
========================

Updated packages in core/updates_testing:
========================
krb5-appl-clients-1.0.3-16.1.mga9
krb5-appl-servers-1.0.3-16.1.mga9

from SRPM:
krb5-appl-1.0.3-16.1.mga9.src.rpm

Source RPM: krb5-appl-1.0.3-18.mga10.src.rpm, krb5-appl-1.0.3-16.mga9.src.rpm => krb5-appl-1.0.3-16.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status comment: Patch available from openSUSE => (none)
Flags: affects_mga9+ => (none)
Status: NEW => ASSIGNED
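
Added example, not part of the bug report and not the inetutils, krb5-appl or openSUSE patch code: a simplified C model of the bounded append that the advisory in Comment 2 says add_slc lacked. The struct, the buffer size and the names add_slc_checked, queue_slc_replies and reply_len_after are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define IAC 255         /* telnet "interpret as command" byte, doubled on the wire */
#define SLC_BUF_SIZE 32 /* assumed size, kept small so the demo fills it */
struct slc_reply {      /* hypothetical stand-in for the daemon's SLC reply buffer */
    unsigned char buf[SLC_BUF_SIZE];
    size_t len;
};

/* Append one byte, doubling IAC; the caller has already reserved the space. */
static void put_escaped(struct slc_reply *r, unsigned char b) {
    r->buf[r->len++] = b;
    if (b == IAC) r->buf[r->len++] = IAC;
}

/* Bounded append of one (func, flag, value) triplet: 0 on success, -1 if full. */
int add_slc_checked(struct slc_reply *r, unsigned char func,
                    unsigned char flag, unsigned char val) {
    size_t need = 3 + (func == IAC) + (flag == IAC) + (val == IAC);
    if (need > sizeof r->buf - r->len)
        return -1;      /* the check the advisory says was missing */
    put_escaped(r, func);
    put_escaped(r, flag);
    put_escaped(r, val);
    return 0;
}

/* Queue a reply for each peer-supplied triplet and stop once the buffer is full. */
size_t queue_slc_replies(struct slc_reply *r, const unsigned char *p, size_t n) {
    size_t queued = 0;
    for (size_t i = 0; i + 3 <= n; i += 3, queued++)
        if (add_slc_checked(r, p[i], p[i + 1], p[i + 2]) != 0) break;
    return queued;
}

/* Constructed input: `count` triplets of one repeated byte; returns bytes stored. */
size_t reply_len_after(size_t count, unsigned char byte) {
    struct slc_reply r = {{0}, 0};
    unsigned char payload[3 * 64];
    if (count > 64) count = 64;
    memset(payload, byte, 3 * count);
    queue_slc_replies(&r, payload, 3 * count);
    return r.len;
}

int main(void) {
    printf("64 plain triplets -> %zu bytes stored\n", reply_len_after(64, 1));
    return 0;
}
```

The space check counts the doubled IAC bytes before anything is written, so a triplet is either stored whole or rejected.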

Comment 3 Thomas Andrews 2026-05-07 01:04:41 CEST
No installation issues.

In Bug 30918 these packages were validated after verifying that telnet and ftp were working. Using examples found on the Internet, I have verified that these are indeed still working after the updates.

Giving this an OK, and validating.

Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

katnatek 2026-05-07 04:47:39 CEST

Keywords: (none) => advisory

Comment 4 Mageia Robot 2026-05-07 07:09:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0122.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
